
Puzzle Algorithms

Puzzle Algorithms. Presented by Ed Kaiser. Papers. [1] Time-lock Puzzles and Timed-Release Crypto (1996) Ronald Rivest, Adi Shamir, David Wagner [2] Moderately Hard, Memory-bound Functions (2002) Martin Abadi, Mike Burrows, Mark Manasse, T. Wobber. Overview.


Presentation Transcript


  1. Puzzle Algorithms Presented by Ed Kaiser

  2. Papers
     • [1] Time-lock Puzzles and Timed-Release Crypto (1996). Ronald Rivest, Adi Shamir, David Wagner
     • [2] Moderately Hard, Memory-bound Functions (2002). Martin Abadi, Mike Burrows, Mark Manasse, T. Wobber

  3. Overview
     • Outline methods for accurately controlling the earliest time that an agent can access data or service

  4. Paper 1: Time-lock Puzzles And Timed-release Crypto
     • Goal is to “send information into the future”

  5. Meet The Team
     • Ronald L. Rivest: MIT Professor, co-inventor of RSA
     • Adi Shamir: Weizmann Institute Professor, co-inventor of RSA
     • David A. Wagner: UC Berkeley Assistant Professor

  6. Sending Information Into The Future
     • Present two methods:
       1) Time-lock puzzles where the answer is used as the key to decrypt cipher text
       2) Using trusted agents to encrypt data and only release the key at the agreed upon time

  7. Time-lock puzzles
     • Puzzle answer is the key for decryption
     • Use a puzzle that is sequential in solution but has a trap-door in creation:
       • Repeated squaring

  8. Creating The Puzzle
     • Use two large prime numbers (p & q) to create a large pseudo-prime modulus n
     • Then the puzzle of finding $b = a^{2^t} \pmod{n}$ can be broken down into two easier tasks:
       • $e = 2^t \pmod{(p-1)(q-1)}$
       • $b = a^e \pmod{n}$

  9. Trusted Agents
     • Previous methods involve “escrow agents” who hold onto all or part of the secret message or key
     • Requires state to be maintained on agents for an indefinite period of time (possibly forever)
     • No lower bounds on the stability of the agents

  10. Proposed Method
      • Trusted agent (i) encrypts data (y) given a desired time it should become public (t)
      • At time t, publish the key ($S_{i,t}$) allowing decryption of any messages that trusted agent encrypted for that time
      • Trusted agents generate keys such that earlier keys can be easily derived from them but future keys cannot

  11. Avoiding Corruption
      • Break a message (M) into d smaller pieces such that only θ pieces are necessary to reconstruct it and distribute those pieces to different agents
      • Need greater than d-θ agents to fail for the message to be lost
      • Need greater than θ agents to be corrupted before the message can be released too early

  12. Good Idea …
      • Recursion is a good way of disallowing parallelization
      • Generation of keys which give away previous keys but not future ones

  13. … Interesting …
      • “Solving a puzzle should be like having a baby: two women can’t have a baby in 4.5 months”

  14. … Bad Idea
      • Requires trap-door for efficient verification
        • Without the server storing state about client puzzles, $t_{verification} = t_{solution}$
      • Not instantly solvable at the intended time
      • Solution time is only roughly controllable
      • Requires a deployed service which is willing to do work (encryption) for you, and can be DoS’d

  15. Paper 2: Moderately Hard, Memory-bound Functions
      • Goal is to create a puzzle with low variation in solution time between very different CPUs by using RAM instead
      • Current CPUs are very variable (10x to 100x)
      • Current RAM is much less variable (2x to 10x)

  16. Meet The Team
      • Martin Abadi: UC Santa Cruz Prof
      • Mike Burrows: Senior Microsoft Researcher
      • Mark Manasse: Senior Microsoft Researcher
      • Ted Wobber: Senior Microsoft Researcher

  17. Forcing Clients To Use RAM
      • Create a puzzle which is easy to cheat on:
        • Solving the puzzle is hard for all CPUs
        • Creating a table in memory that facilitates easily looking up answers is possible
      • Define a function F() that:
        • Uniformly maps L bits into L bits
        • $F^{-1}()$ cannot be computed faster than a RAM access

  18. Creating A Puzzle Using F()
      • Puzzle: solve $F^{-1}()$ k times
      • Use recursive puzzle: $x_{i+1} = F(x_i)$
        • Uses less data to communicate puzzle
        • Forces sequential solution
      • If F() generates cycles, or the client creates a table with “ladders”, lookups required < k
      • Strengthen recursion: $x_{i+1} = F(x_i)$ XOR $i$
        • Encodes step number into each answer

  19. Problem With Ambiguity
      • Possibly exists j ≠ k such that F(j) = F(k)
      • There could be more than one legitimate answer to the puzzle then:
        • Accept any valid answer
        • Create a checksum for the path to the intended answer

  20. 5 Puzzle Refinements
      1) Don’t save state of each issued puzzle: use a secure hash of the answer and a server secret
      2) Vary F() over time: to avoid trusting a single function for too long
      3) Create a composite puzzle: more puzzles minimizes variation in solution time
      4) Make the puzzle more vague: provide less information to make it more difficult
      5) Use several different F(): same as #4

  21. Experimental Results

  22. Good Idea …
      • Also suggests using recursion (“chaining”)
      • XORing the step number into the answer
      • Hashing answer and secret to reduce state on server

  23. … Interesting …
      • Varying F() over time
      • Results show improvement, but not overwhelming success

  24. … Bad Idea
      • Creating a composite puzzle
      • Making puzzles more vague
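
The time-lock puzzle of slides 7 and 8, worked through as an added example (not code from the presentation or the paper): the creator uses the trap-door e = 2^t mod (p-1)(q-1), while the solver has to perform t squarings in sequence. The two fixed primes, the base a = 2 and the SHA-256 pad that turns the answer b into a decryption key are assumptions made for the illustration.

```python
import hashlib

# Constructed toy parameters: two known Mersenne primes. A real puzzle uses
# large, secret, randomly generated primes.
P = 2**31 - 1
Q = 2**61 - 1

def keystream_xor(b: int, data: bytes) -> bytes:
    """Mask data with a SHA-256 pad seeded by the puzzle answer b
    (illustrative way to use the answer as a key, not from the slides)."""
    seed = b.to_bytes((b.bit_length() + 7) // 8 or 1, "big")
    pad = b""
    counter = 0
    while len(pad) < len(data):
        pad += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(x ^ y for x, y in zip(data, pad))

def create_puzzle(message: bytes, t: int, a: int = 2) -> dict:
    """Creator: knows p and q, so the cost is two modular exponentiations."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    e = pow(2, t, phi)      # e = 2^t mod (p-1)(q-1)
    b = pow(a, e, n)        # b = a^e mod n, which equals a^(2^t) mod n
    # p, q and phi are discarded; only n, a, t and the ciphertext are published.
    return {"n": n, "a": a, "t": t, "ciphertext": keystream_xor(b, message)}

def solve_puzzle(puzzle: dict) -> bytes:
    """Solver: no trap-door, so t squarings, each depending on the previous one."""
    b = puzzle["a"] % puzzle["n"]
    for _ in range(puzzle["t"]):
        b = (b * b) % puzzle["n"]
    return keystream_xor(b, puzzle["ciphertext"])

if __name__ == "__main__":
    puzzle = create_puzzle(b"constructed sample message", t=100_000)
    print(solve_puzzle(puzzle))
```

Raising t lengthens the solver's loop linearly, while the creator's cost grows only with the bit length of t.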
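
The memory-bound puzzle of slides 17 to 20, as an added example (not code from the presentation or the paper): the server walks forward with x_{i+1} = F(x_i) XOR i, the client walks backward through a precomputed inverse table, the path checksum resolves ambiguous preimages, and a keyed hash of the answer replaces per-puzzle server state. The truncated-SHA-256 `F`, the 12-bit domain and the HMAC tag format are assumptions chosen for illustration.

```python
import hashlib
import hmac

L_BITS = 12            # toy value of L (constructed for the example)
SIZE = 1 << L_BITS

def F(x: int) -> int:
    """Hypothetical stand-in for F(): maps L bits to L bits via truncated SHA-256."""
    digest = hashlib.sha256(x.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") % SIZE

def path_checksum(path) -> str:
    return hashlib.sha256(",".join(map(str, path)).encode()).hexdigest()

def answer_tag(secret: bytes, x0: int, xk: int, k: int) -> str:
    # Keyed hash of the answer and a server secret: nothing is stored per puzzle.
    return hmac.new(secret, f"{x0}:{xk}:{k}".encode(), hashlib.sha256).hexdigest()

def make_puzzle(x0: int, k: int, secret: bytes) -> dict:
    """Server: walk forward with x_{i+1} = F(x_i) XOR i, publish only the end point."""
    path = [x0]
    for i in range(k):
        path.append(F(path[-1]) ^ i)
    return {"xk": path[-1], "k": k, "checksum": path_checksum(path),
            "tag": answer_tag(secret, x0, path[-1], k)}

def build_inverse_table() -> dict:
    """Client: precompute F^-1 once; every later inversion is a memory lookup."""
    table = {}
    for x in range(SIZE):
        table.setdefault(F(x), []).append(x)
    return table

def solve(puzzle: dict, table: dict):
    """Client: walk back from x_k, branching wherever F has several preimages."""
    stack = [(puzzle["k"], [puzzle["xk"]])]
    while stack:
        i, suffix = stack.pop()
        if i == 0:
            if path_checksum(suffix) == puzzle["checksum"]:
                return suffix[0]
            continue
        for pre in table.get(suffix[0] ^ (i - 1), []):
            stack.append((i - 1, [pre] + suffix))
    return None

def verify(puzzle: dict, answer: int, secret: bytes) -> bool:
    """Server: recompute the tag from the claimed answer and the secret."""
    expected = answer_tag(secret, answer, puzzle["xk"], puzzle["k"])
    return hmac.compare_digest(expected, puzzle["tag"])
```

Because the tag covers x_k and k as well as the answer, a client cannot reuse one solved puzzle's tag with different puzzle parameters.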
